Catching up on XKCD

See you on 9/23

Digital Nit Picking

Over the last few months I’ve been doing a lot of work with the Stop Badware group. The charter of the team is to provide a Net neighborhood watch program. It started out with shutting down adware and spyware providers but lately the cases are mostly victims of digital parasites. The problem has been framed in articles before as iframe injection or javascript injection attacks. I’ve been calling the attackers nits lately after the lice they remind me of. Most of the code injections occur at the edges of a html document. The spiders/robots used must be programed to infest a page around <body> and <html> tags. It’s an interesting resemblence to head lice which infest humans around the scalp line but not often deeper into the scalp.
To take the analogy further digitally lousy websites are not an indication that the owners are unsanitary. In the past, websites known to infect those who visit were of the porn or warez variety. But very average sites commonly become infected these days until they are detected and notified. They are sometimes shocked and humiliated when they discover that they have become infected even though they don’t have any reason to be. These small and medium sized business owners have no way of affording a $200/hr security consultant to inspect their code and web server for flaws. And despite their protests, Google and others are providing a public service by isolating the infectious from the general population. Since the Internet is not built upon a central command and control model it is difficult to shut down the sites those injected frames and scripts point to. Isolation is the only real method to slow down the infection rate.

Stay tuned, this tension between public good and small and medium business will only become more interesting with time.

ps. Even though I do work for SBW I in no way represent their opinions or values. Technically I’m not even staff.

Metasploit 3.0 (now with more ruby)

The Metasploit Framework (“Metasploit”) is a development platform for
creating security tools and exploits. Version 3.0 contains 177
exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally,
30 auxiliary modules are included that perform a wide range of tasks,
including host discovery, protocol fuzzing, and denial of service testing.

The revolution will be posted

(22:38:46) zeroday: take notes. the revolution is coming. (it will be posted on youtube)
(22:39:02) doubleR: no, it will be copied and posted on youtube
(22:39:12) doubleR: then, it will be taken down by a viacom c&d

Beansec 七

谢谢 to everyone that made it out last night to Beansec. I have been so swamped with work and school that I didn’t have time to blog about it yet still 18-20 of you showed up! We are scheduled for the same time next month (3rd Wednesday).
Great topics that were discussed

Extending legal protections to security researchers
“Impact Factors” for vulnerabilities
The Pinkertons
The Security “Bubble”

Handbrake for Ubuntu

Original from
(modified slightly to fix url issue and update to 0.71)

sudo apt-get install nasm build-essential devscripts fakeroot
mkdir ~/tmp
cd tmp
dpkg-source -x x264_0.0.20050906-1.dsc
cd x264-0.0.20050906/
dpkg-buildpackage -rfakeroot
cd ..
sudo dpkg -i *.deb
sudo apt-get install debhelper libgtk2.0-dev jam nasm liba52-dev libavcodec-dev libdvdcss2-dev libdvdread3-dev libfaac-dev libmpeg2-4-dev liblame-dev libmp4v2-dev libogg-dev libsamplerate-dev libvorbis-dev libwxgtk2.6-dev libx264-dev libxvidcore-dev
tar -xzvf HandBrake-0.7.1.tar.gz
cd HandBrake-0.7.1
sudo cp HBTest /usr/local/bin/handbrake

Make movies like this:
handbrake -e xvid -E ac3 -2 -S 1400 -i /dev/cdrom -o MOVIENAME.avi

Impressions from Beyond Broadcast


A sample evasion technique

The following code creates the file c:\donothing.txt according to the Sandbox Analyzer, while it creates the file c:\breakstuff.txt on a real computer running a real copy of Windows.

unsigned char idt[6];

sidt idt
if ((0x00 == idt[0]) && (0x08 == idt[1]))
fp = fopen(“c:\\donothing.txt”, “w”);
fp = fopen(“c:\\breakstuff.txt”, “w”);


MS Vista, degenerative technology analysis (part 1)

One commenter on asked what the sense of my article is. Is it just that Microsoft Vista will introduce new levels of encryption to the playback of HD content? I wish it were as simple as that. And this goes way beyond the idea that consumers will have to pay for the extra components on the video cards which will not be used if they don’t play HD content. It goes way beyond the fact that pirated HD content is already available which invalidates all their efforts to date. The real issue that warrants your attention is that Microsoft has teamed up with the entertainment industries (RIAA + MPAA) to create an operating system that can control what you do, where you do it, and how you do it. The real issue is that they are collectively pushing degenerative technology which is causing a cultural backslide.

The new features which create “pipelines” to secure audio and video ensure that consumers can not play movies or music on devices that are not approved. More then ever, the industries who produce the entertainment consumed by the masses treat those very same people as potential criminals. Microsoft isn’t kowtowing to demands; they are gladly aiding the entertainment industry to fight a battle they themselves are waging. Piracy affects anyone who distributes products under a restrictive copyright regime. Unlike what many a blog commenter has tried to argue DRM is not free. There are significant costs involved which I have tried to outline in my previous articles in the form of additional hardware, resource usage, engineering time, technical support, and PR spin to counter people like me who are against such things. One commenter on the windowsvistablog was nice enough to extract all six mentions of who is paying for these restrictions. The consumer.

Yet if one were to conduct a survey among users I would find it difficult to believe that anyone would list DRM high on their wish list. It’s difficult to imagine someone asking for “computers which run software you can’t see, can’t understand, can’t control, and which reports to other people what is going on in your network without your ability to interrupt or do anything?”. Even if the payoff is the ability to play back HD content from major studios. This is the leverage that Microsoft has touted from the beginning and their hope is that consumers value this “ability” so highly as to turn a blind eye to the degenerative methodologies embedded in the very core of their new operating system.

Part of the adherence to the Advanced Access Content System (AACS) specifications is the deliberate obfuscation of drivers and the withdrawal of open hardware specifications. When an approved device is given a piece of HD content the operating system begins negotiating with the device to verify that it is real and authentic. To accomplish this, undocumented calls are made to the device verifying that it is not a fake device intent on viewing unencrypted frames of the premium content. How does this affect you? Dave Marsh responded that “HFS uses additional chip characteristics other than those needed to write a driver. HFS requirements should not prevent the disclosure of all the information needed to write drivers.” What he doesn’t mention is that the authors of the drivers for future video hardware are under contract to obfuscate their code and keep their specifications closed. Closed specifications affect hardware design for ALL operating systems. Free software driver developers will find less and less publicly available documentation. One of the commenters on my original post had a great response which I’m including here.

“I don’t care about ‘premium content’, neither copied nor purchased, and yet I, as a software developer, have to live with the fact that it’s hard to use 3D graphics cards using free drivers. Thanks to the deal between the likes of MPAA-Microsoft-ATI, the situation won’t improve, it will only get worse. “